SIP port access for allowlist only
parent
7f375832e8
commit
38dbfa8528
@ -32,6 +32,8 @@ services:
|
||||
environment:
|
||||
DOMAIN: ${DOMAIN}
|
||||
EXTERNAL_IP: ${EXTERNAL_IP}
|
||||
SIP_IP_ALLOWLIST: ${SIP_IP_ALLOWLIST}
|
||||
NETWORK_INTERFACE: ${NETWORK_INTERFACE:-}
|
||||
volumes:
|
||||
- ./conf/sip_profiles:/etc/freeswitch/sip_profiles/external
|
||||
- ./conf/dialplan_public:/etc/freeswitch/dialplan/public_docker
|
||||
|
@ -49,7 +49,8 @@ RUN apt-get update && apt-get install -y \
|
||||
freeswitch-mod-spandsp \
|
||||
freeswitch-mod-tone-stream \
|
||||
freeswitch-mod-verto \
|
||||
freeswitch-sounds-en-us-callie
|
||||
freeswitch-sounds-en-us-callie \
|
||||
iptables
|
||||
|
||||
# Potentially missing
|
||||
# (included in bbb-freeswitch-core but not referenced in https://github.com/bigbluebutton/bigbluebutton/issues/9064)
|
||||
|
@ -1,5 +1,20 @@
|
||||
#!/bin/bash
|
||||
|
||||
# remove all SIP (port 5060) iptable rules
|
||||
iptables -S INPUT | grep "\-\-dport 5060 " | cut -d " " -f 2- | xargs -rL1 iptables -D
|
||||
|
||||
# block requests to 5060 (tcp/udp)
|
||||
iptables -A INPUT -i "$NETWORK_INTERFACE" -p tcp --dport 5060 -s 0.0.0.0/0 -j REJECT
|
||||
iptables -A INPUT -i "$NETWORK_INTERFACE" -p udp --dport 5060 -s 0.0.0.0/0 -j REJECT
|
||||
|
||||
# allow some IPs
|
||||
IFS=',' read -ra ADDR <<< "$SIP_IP_ALLOWLIST"
|
||||
for IP in "${ADDR[@]}"; do
|
||||
# process "$i"
|
||||
echo "allow port 5060/udp for $IP"
|
||||
iptables -I INPUT -p udp --dport 5060 -s $IP -j ACCEPT
|
||||
done
|
||||
|
||||
dockerize \
|
||||
-template /etc/freeswitch/vars.xml.tmpl:/etc/freeswitch/vars.xml \
|
||||
/usr/bin/freeswitch -u freeswitch -g daemon -nonat -nf
|
||||
|
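Review bot: None of the `iptables` calls is checked, so if they fail (for instance when the container is not granted NET_ADMIN, which this page does not show) the script still starts FreeSWITCH with port 5060 unfiltered, while printing "allow port…" as if the rules had applied. Make the block rules fail closed by ending both `iptables -A INPUT … -j REJECT` lines with `|| exit 1`. In the loop `-s $IP` is unquoted, so an entry containing whitespace or glob characters expands into extra iptables arguments; trim each entry, skip empty ones and pass `-s "$IP"`. Only IPv4 rules are written, so whether 5060 stays reachable over IPv6 depends on how FreeSWITCH binds and should be confirmed. The leftover `# process "$i"` comment refers to a variable the loop does not use and can be dropped.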
@ -47,6 +47,12 @@ STUN_PORT=3478
|
||||
#TURN_SERVER=turns:turn.example.com:443?transport=tcp
|
||||
#TURN_SECRET=
|
||||
|
||||
# Allowed SIP IPs
|
||||
# due to high traffic caused by bots, by default the SIP port is blocked.
|
||||
# but you can allow access by your providers IP or IP ranges (comma seperated)
|
||||
# Hint: if you want to allow requests from every IP, you can use 0.0.0.0/0
|
||||
SIP_IP_ALLOWLIST=
|
||||
|
||||
|
||||
# ====================================
|
||||
# CUSTOMIZATION
|
||||
|
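Review bot: The comment above `SIP_IP_ALLOWLIST=` does not say that allowlisted addresses are opened for UDP only: the entrypoint in this commit rejects port 5060 on both tcp and udp but inserts ACCEPT rules only with `-p udp`. Either document that here, e.g. `# allowlisted IPs get access to 5060/udp only; 5060/tcp stays blocked`, or add the matching tcp ACCEPT rule in the entrypoint. The hint about `0.0.0.0/0` should also state that it re-exposes the port to the bot traffic the default is meant to stop. "seperated" should read "separated" and "providers" should be "provider's".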